Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.usebila.com/docs/llms.txt

Use this file to discover all available pages before exploring further.

The Audit Trail gives you complete visibility into everything that happens inside your account. Every login, setting change, and API request is logged, giving you a full, tamper-evident record for security reviews, compliance checks, and incident investigation.
Only a Merchant Admin can access the Audit Trail.

Step 1: Open the Audit Trail

  1. Click Settings at the bottom of the left sidebar.
  2. Select the Audit Trail tab from the top navigation bar.
The dashboard displays a chronological list of all account activity, including the timestamp, acting admin, HTTP method, endpoint accessed, and request status.

Step 2: Search and Filter Logs

Use the filters at the top of the dashboard to narrow down entries:
FilterHow to Use
Search barSearch by keyword, endpoint, or action description
Admin emailFilter to see all actions performed by a specific team member
IP addressTrack activity originating from a specific device or network location
Date rangeSet a Start date and End date to isolate a specific time window
HTTP methodFilter by action type: view, create, update, or delete
For security investigations, combine Admin email with a Date range to reconstruct exactly what a specific team member did during a given period.

Step 3: Understand HTTP Methods

Every log entry includes a Method that describes the type of action performed:
MethodAction TypeWhat It Means
GETView / ReadThe user viewed information — checking a balance, loading a list, or opening a record
POSTCreateThe user added something new — creating a payment, inviting an admin, or generating an API key
PUTUpdate / ReplaceThe user replaced an existing setting or record entirely
PATCHModifyThe user made a targeted edit to part of an existing record or setting
DELETERemoveThe user deleted a record, API key, or team member from the system
DELETE and PUT actions are the highest-risk entries in your audit log. Review these immediately if you notice unexpected changes to settings, team members, or API keys.

Step 4: View Detailed Log Entries

To inspect the full details of any specific action:
  1. Click the eye icon in the Actions column next to the log entry.
  2. The Audit log details side panel opens.

Request Summary

FieldDescription
Method badgeThe HTTP method used (e.g., GET, POST, DELETE)
EndpointThe full API path accessed
DurationHow long the request took to complete, in milliseconds
IP AddressThe network address the request originated from
TimestampThe exact date and time the action occurred
User AgentThe browser and operating system used

Response Body

The Response body tab shows the raw API response returned for that request. This is the most detailed view available for any logged action. 
{
  "data": [
    {
      "recipient": "+2609***000",
      "event": "payment.received",
      "status": "DELIVERED",
      "messagePreview": "You received ZMW 250 from 0960000001. Ref: DEP-abc123-001. Balance: ZMW 1,250.",
      "providerRef": "MTN-ZM-00123456"
    }
  ],
  "pagination": {
    "page": 1,
    "limit": 20,
    "total": 4,
    "totalPages": 1
  }
}
A providerRef of null means the message was rejected before it reached the mobile network. Verify the recipient’s contact details in Admins or Cashiers.

Location

Switch to the Location tab to see the geographic and network origin of the action:
FieldDescription
CityThe city associated with the request’s IP address
CountryThe country the request originated from
ISPThe Internet Service Provider linked to that IP address
If you see a City, Country, or ISP that doesn’t match your team’s known locations, treat it as a potential security incident. Review the admin’s account, reset their password, and consider deactivating the account while you investigate.

Security Investigation Reference

What You SeeWhat to Do
DELETE action on an admin or API key you didn’t authoriseCheck User Info for the acting admin and reset their credentials immediately
POST to a payments endpoint at an unusual timeCross-reference with Location to verify the request came from a known device
Multiple GET requests from an unfamiliar IPCheck ISP and City — could indicate credential sharing or a compromised session
providerRef: null on critical alertsVerify the recipient’s phone number is correct in their profile
Actions from an admin who has left the businessDeactivate their account immediately via Settings → Admins

Next Steps

SMS Logs

Monitor SMS alert delivery for your team and customers.

Team Members

Manage who has access to your account and at what level.